From 9845aff09ac6b136ee363f7fb869bfd3a8f9b8c1 Mon Sep 17 00:00:00 2001 |
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org> |
Date: Fri, 10 Jun 2016 16:51:18 +0200 |
Subject: [PATCH] s3-winbind: Fix schannel connections against trusted domain |
DCs |
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11830 |
|
Pair-Programmed-With: Andreas Schneider <asn@samba.org> |
Signed-off-by: Guenther Deschner <gd@samba.org> |
Signed-off-by: Andreas Schneider <asn@samba.org> |
Reviewed-by: Alexander Bokovoy <ab@samba.org> |
(cherry picked from commit d2379caa77fe02264323d69fee1bcad33f1bfeee) |
--- |
source3/winbindd/winbindd_cm.c | 16 +++++++++++++++- |
1 file changed, 15 insertions(+), 1 deletion(-) |
|
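diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index 45e3fad..f1f98db 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -903,6 +903,7 @@ static NTSTATUS get_trust_credentials(struct winbindd_domain *domain,
 struct cli_credentials *creds;
 NTSTATUS status;
 bool force_machine_account = false;
+ bool ok;
 
 /* If we are a DC and this is not our own domain */
 
@@ -947,7 +948,13 @@ static NTSTATUS get_trust_credentials(struct winbindd_domain *domain,
 CRED_DONT_USE_KERBEROS);
 }
 
- if (creds_domain != domain) {
+ /*
+ * When we contact our own domain and get a list of the trusted domain
+ * we have the information if we are able to contact the DC with
+ * with our machine account password.
+ */
+ ok = winbindd_can_contact_domain(domain);
+ if (!ok) {
 /*
 * We can only use schannel against a direct trust
 */
@@ -3284,6 +3291,8 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
 
 sec_chan_type = cli_credentials_get_secure_channel_type(creds);
 if (sec_chan_type == SEC_CHAN_NULL) {
+ DBG_WARNING("get_secure_channel_type gave SEC_CHAN_NULL for %s\n",
+ domain->name);
 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
 }
 
@@ -3323,6 +3332,11 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
 conn->netlogon_flags = netlogon_creds->negotiate_flags;
 TALLOC_FREE(netlogon_creds);
 
+ /*
+ * FIXME: Document in which case we are not able to contact
+ * a DC without schannel. Which information do we try to get
+ * from this DC?
+ */
 if (!(conn->netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
 if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
 result = NT_STATUS_DOWNGRADE_DETECTED;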
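Review bot: The comment added in the second hunk of get_trust_credentials (the function starts and ends outside the hunk) repeats a word and leaves the key question unanswered: `* we have the information if we are able to contact the DC with` / `* with our machine account password.` should read `* we have the information if we are able to contact the DC with` / `* our machine account password.`, and since `winbindd_can_contact_domain(domain)` now decides whether schannel is attempted at all, the comment should also state what that function returns when the trust list from our own domain has not been fetched yet — the hunk does not show this, so I cannot tell whether an unknown domain falls back to the non-schannel path or is refused. The FIXME added in the last hunk sits directly above the NETLOGON_NEG_AUTHENTICATED_RPC check; rather than landing an open question, it would be more useful to record the observable rule already in the code, e.g. `/* Without authenticated RPC the connection is only accepted when neither "winbind sealed pipes" nor "require strong key" is set; otherwise it is treated as a downgrade. */`. The DBG_WARNING added in the third hunk is fine, though logging only domain->name makes the message hard to correlate with the credential source; mentioning which account was tried would help if that is available at this point.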
-- |
2.8.4 |